Opinion: Straight talk on Mac security risks

Are Macs impervious to malicious software? No. Have Macs been the subject of catastrophic attacks? No again. Should Mac users be vigilant anyway? Of course.

It’s time for me to fess up: I’ve been as complacent as most Mac users when it comes to taking precautions to safeguard my data and the integrity of my system. Although my Windows PC is swaddled in antivirus, anti-spyware, and firewall software, my Mac has been fairly undefended, up to now. I just haven’t felt much urgency to put up barriers against threats that don’t seem to exist.

But at Macworld Expo last month, I stopped by the booths of several security software vendors and began to wonder if they are pushing products people don’t need, or if they know something I don’t. After all, Mac users are just as vulnerable as anyone to the social engineering used by many computer exploits to install themselves. (While Mac fanatics will insist that they’re more sophisticated than the Wintel rabble, there are plenty of innocents in Apple-land as well.)

Justifiable confidence?

The complacency about Mac security has some basis in fact: OS X comes with many of the ports that could allow snooping closed; you have to change a System Preference to activate file sharing, personal Web hosting, or even printer sharing. If you don’t use these features, you’re protected by default. If you want to give other users access to some areas of your system, you should turn on the firewall that’s built into OS X.

The firewall is in the same System Preference window as the sharing services, and it lets you close all ports except those for services you want to allow. The firewall has some advanced features, including activity logging and a stealth mode. If enabled, the stealth mode makes your Mac invisible to incoming data inquiries, which is essentially the same thing that hardware firewalls do. If your home network includes a router with a built-in firewall, it probably gives you the same kind of protection.

Turning on OS X’s firewall is a no-brainer, but finding it isn’t. I looked for this control under the Security heading — but instead you need to click the System Preferences icon in the Dock, then click the Sharing icon in the Internet & Network section.

The Security preference in the Personal section deals with managing passwords for account access and FileVault, OS X’s built-in encryption capability. I think FileVault is a great idea, but it’s something of a blunt instrument. I would like the ability to encrypt just some folders, not all of my hard drive. And as someone who regularly forgets passwords, I’m scared of the possibility that I could irretrievably lock up the contents of my hard drive.

Another reason that Mac users tend not to worry about exploits is that Apple tends to patch discovered vulnerabilities quickly. In 2005 Apple issued nine security updates as well as product updates incorporating security patches. These patches addressed exploits that were theoretical; as with most Windows vulnerabilities, no one had used the security holes to create a worm or virus and release it into the wild.

For example, last May an independent developer revealed a proof-of-concept exploit in a Dashboard widget, but no malicious activities were reported as a result of the security hole. Within days, Apple had released a security update that fixed the problem: You are now warned with a dialog box when you download and open a widget, and you can remove them, unlike in the first iteration of Dashboard.

Like using the built-in firewall, taking advantage of OS X’s Software Update is also a no-brainer. To set up automatic updates, open System Preferences, click on Software Update in the System section, and choose an interval at which to check for updates.

Safety software

All the precautions I’ve just discussed are nonintrusive and no-cost, since they are included in the operating system. But are they enough? Just because almost no Mac vulnerabilities have turned into full-blown exploits in recent years, does that mean it won’t happen? It would be foolish to think so, and OS X’s defenses aren’t foolproof. I tried downloading the malicious widget mentioned above, and found that the system’s warning said only “Do you want to install the program ‘zaptastic’?” That doesn’t tell me anything about the program or warn me that it’s potentially harmful. Only by comparing the name of the applet to a database of known viruses or spyware would I learn that I shouldn’t install it.

I checked out a spyware scanner from Securemac.com called MacScan 2.0, after speaking with the vendor at Macworld Expo and secretly thinking “Yeah, right. Mac spyware. Show me, dude.”

What the vendor showed me was a list of programs that its system had been intentionally infected with. So back at home, I downloaded a trial version of the US$25 program and scanned my system. Predictably, MacScan found no malicious apps. I checked out the company’s list of known spyware, and it consists mostly of keyloggers — programs that can be surreptitiously installed on a computer to record a user’s activities — although MacScan does identify some Trojan horses and remote dialers as well.

Since I don’t share my Mac with anybody, and there’s no one in my home office who’d want to spy on me, I don’t need to worry much about keyloggers. And I wasn’t completely satisfied with the amount of information provided by MacScan: There are generic descriptions of the various general categories of malicious software, but no information about the specific programs, such as how prevalent they are or how much damage they are capable of. Spyware scanners for Windows often give you this kind of information.

Antivirus scanner

I also tried a free, open-source antivirus scanner for OS X, called ClamXav. I found it to be reasonably full-featured, allowing me to schedule scans and specify folders to watch. It was easy to install and run, and scanned everything on my system, including my e-mail files. When I ran it, ClamXav found a potentially harmful attachment.

Scanning e-mail is important because Mac users could unwittingly forward an infected message attachment received from a Windows user. In fact, catching and containing crud received from Windows users is currently the best reason to use a virus scanner on the Mac. I haven’t used ClamXav for long, but I’m keeping it on my Mac. I’d recommend giving it a try.

A firewall that tells too much

And then there’s Little Snitch, a complement to the OS X firewall that monitors which programs on your system are calling out to the Internet, and through which ports. This $25 shareware has a trial that lasts for only 3 hours, but that’s probably long enough to alert you to any suspicious programs — or drive you crazy, whichever comes first.

When I tried Little Snitch, it repeatedly popped up warnings for innocent connections (such as my e-mail program sending a message) even if I checked the “allow forever” option. And Little Snitch requires a rather high degree of computer know-how: It doesn’t give you any hints as to which programs are legitimate and whether they should or shouldn’t be using a particular port. I got numerous warnings related to my system connecting to my iDisk remote storage — but they weren’t easily recognizable and could have been very worrying.

ZoneAlarm for Windows does a much better job of interpreting connections and allowing you to turn off particular alerts. Little Snitch is getting kicked off my system.

Other options

There are a handful of commercial antivirus programs and security suites for the Mac as well, including McAfee’s Virex, Symantec’s Norton Antivirus and Personal Firewall, and Intego’s collection of security products for the Mac, including ChatBarrier (an iChat encryption product), NetBarrier, and Virus Barrier.

After mulling all of this over, I think I’ve reformed a bit. I now have a few more defenses in place and a healthy caution about downloading and installing unknown files — but I’m not paranoid. I’ll fork over a donation to the developer of ClamXav, to make sure he keeps updating the product, and I’ll keep an eye on information sources like Mac Security News and MacInTouch.

Mostly, I figure that I’ll take the same reasonable, sensible security precautions that I take with my Windows PC to keep out most of the crud — and I won’t be surprised when the Mac crud inevitably surfaces.